A secure cookie, also known as an HttpOnly cookie, is a cookie that is sent only with HTTP/HTTPS requests and cannot be read by scripting languages such as JavaScript. Because it is used only to store information and to carry it in Hypertext Transfer Protocol requests and responses over the internet, exploits delivered through scripting are unable to access it. The main benefit of a secure cookie is therefore that it can stop cookie theft through cross-site scripting (XSS).
A secure cookie always has the Secure attribute set, so it is used mostly over HTTPS and is transmitted securely on encrypted connections. The HttpOnly flag in the cookie header ensures that JavaScript, or any other non-HTTP method, cannot access the cookie. Cookies work through two headers: Set-Cookie and Cookie. The Set-Cookie header, sent in response to an HTTP request, creates the secured cookie on the user's system. The Cookie header is sent by the application along with an HTTP request to the server, which validates that there is a secure cookie matching the requested domain and path.
The Secure attribute and the HttpOnly flag work together so that the browser can restrict access to the secure cookie's data from malicious scripts that may have compromised the browser or the network. This mitigates much of the damage that XSS attacks can cause, specifically attacks that target cookies.
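The Set-Cookie / Cookie exchange described above, modelled as an added example (not code from the original article): a small cookie-jar that parses a Set-Cookie header, reports a missing Secure or HttpOnly flag, and builds the Cookie header a browser would send for a given URL, honouring the Secure-over-HTTPS rule and the domain/path match. Host and path matching are simplified from RFC 6265; the cookie names and hosts in the docstrings are constructed.

```python
# Added example (not from the article): a minimal model of a browser cookie jar.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # host that set the cookie, or its Domain attribute
    path: str = "/"
    secure: bool = False
    http_only: bool = False

def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
    return cookie

def audit(cookie: Cookie) -> list[str]:
    """Report the flags whose absence the article warns about."""
    checks = [(cookie.secure, "missing Secure; sent over plain HTTP"),
              (cookie.http_only, "missing HttpOnly; readable via document.cookie")]
    return [f"{cookie.name}: {msg}" for ok, msg in checks if not ok]

def cookie_header(jar: list[Cookie], url: str) -> str:
    """Cookie header for `url`; simplified RFC 6265 scheme/host/path matching."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), (u.path or "/")
    sent = []
    for c in jar:
        scheme_ok = u.scheme == "https" or not c.secure  # Secure => TLS only
        host_ok = host == c.domain or host.endswith("." + c.domain)
        path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
        if scheme_ok and host_ok and path_ok:
            sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)
```

Running `audit` over the Set-Cookie headers an application emits is a quick way to catch a session cookie that is still readable from script or that would be sent over plaintext HTTP.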